Log-in details and other personal information may have been exposed for thousands of websites due to the Cloudbleed breach. The Cloudbleed leak was discovered on 17th February by Tavis Ormandy, a member of Google’s ‘Project Zero’, a team of security analysts dedicated to finding zero-day vulnerabilities. The vulnerability was found in the code of Cloudflare, a company that provides CDN services to thousands of large websites.

A Content Distribution Network (CDN) takes the static content of your website and places copies of it in locations around the world. When a user visits the site, that content is loaded from the location closest to them, which improves load times and takes load off your main hosting provider.

Some of the sites using Cloudflare’s services are OKCupid, ThePirateBay, Fiverr, Codepen, Fitbit, Uber and many more. You can find an unofficial list of websites that use Cloudflare on GitHub. Not every website on this list will have been compromised, but there is the possibility that it has been.

The breach is named ‘Cloudbleed’ after the well-known ‘Heartbleed’ vulnerability discovered in 2014. Heartbleed allowed anyone to read the memory of systems running vulnerable versions of OpenSSL. Both Heartbleed and Cloudbleed were web server issues that returned sensitive data from memory buffers. Unlike Heartbleed, where each web server had to be patched individually, Cloudbleed only affected sites behind Cloudflare. There was no need to carry out an attack to exploit the Cloudbleed vulnerability: anyone who visited a Cloudflare site could have received, in the response, data from a previous request to any other Cloudflare site. Among the data being returned were cookies, passwords, encryption keys, private messages and other sensitive information. Three features were not properly implemented in an HTML parser that Cloudflare uses to improve performance. These features were:

Automatic HTTPS Rewrites (since 22nd September 2016)

Server-Side Excludes (since 30th January 2017)

Email Obfuscation (since 13th February 2017)
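To make the "returns sensitive data from buffers" mechanism concrete, here is an added illustrative model (not Cloudflare's parser and not code from this article) of the bug class involved. Cloudflare's own write-up traced the over-read to a generated parser whose end-of-buffer test compared the cursor with the end pointer using == rather than >=; the model reproduces that defect in plain Python over a constructed byte buffer where one request's HTML is followed by stale bytes from an unrelated request. The sample data, the `rewrite` and `leaked_bytes` functions and the two-byte tag step are all assumptions made for the illustration.

```python
"""Simplified model of the Cloudbleed bug class (illustrative code, not
Cloudflare's parser): an HTML rewriting pass whose end-of-buffer test compares
the cursor with '==' instead of '>='. A step that advances more than one byte
can then jump over the end pointer and keep parsing whatever bytes follow the
request's own data, copying them into the response."""

# Constructed sample memory: request A's page, followed in the same buffer by
# stale bytes left behind by an unrelated request B.
REQUEST_A = b"<p>Hello user</p><"   # ends with a truncated tag
LEFTOVER_B = b"<!-- -->Set-Cookie: session=SECRET-B; HttpOnly\r\n"
MEMORY = REQUEST_A + LEFTOVER_B


def rewrite(memory: bytes, start: int, length: int, strict: bool) -> bytes:
    """Copy the text of memory[start:start+length] to the output, dropping
    tags. strict=True uses the correct '>=' end test; strict=False uses the
    buggy '==' test."""
    p, pe = start, start + length
    out = bytearray()

    def at_end(pos: int) -> bool:
        return pos >= pe if strict else pos == pe

    while p < len(memory):            # physical end of the modelled memory
        if at_end(p):                 # end of this request's data?
            break
        if memory[p] == ord("<"):
            # The tag scanner consumes '<' and the byte after it in one step
            # (to tell '<x' from '</x'). When '<' is the last byte of the
            # request, p lands on pe + 1 and an '==' test never fires.
            p += 2
            while p < len(memory) and not at_end(p) and memory[p] != ord(">"):
                p += 1                # skip the rest of the tag
            p += 1                    # consume '>'
        else:
            out.append(memory[p])
            p += 1
    return bytes(out)


def leaked_bytes(strict: bool) -> bytes:
    """Output bytes that did not come from request A's own region."""
    out = rewrite(MEMORY, 0, len(REQUEST_A), strict)
    own_text = rewrite(REQUEST_A, 0, len(REQUEST_A), strict=True)
    return out[len(own_text):]


if __name__ == "__main__":
    print("buggy '==' check leaks:", leaked_bytes(strict=False))
    print("fixed '>=' check leaks:", leaked_bytes(strict=True))
```

With the buggy check the response for request A carries the other request's cookie header; with the `>=` check it stops at the end of A's data. The point for reviewers of any hand-written or generated scanner is that an equality test against an end pointer is only safe if every step advances by exactly one.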

According to Cloudflare the amount of data actually leaked was relatively small, with around 1 in every 3,300,000 HTTP requests resulting in a memory leak. However, considering that Cloudflare provides services for thousands of sites worldwide and the vulnerability lasted for about six months, there is sufficient reason to be concerned. As soon as the bug was discovered Tavis contacted Cloudflare, who in turn organised a team of engineers and fixed the problem within 7 hours.

Cloudflare’s CTO, John Graham-Cumming, stated that no malicious activity was detected as a result of the bug. With the bug possibly existing for 6 months and search engines caching sensitive information, it is unclear how much data has actually been leaked. The aftermath of Cloudbleed was a challenge in itself, as Cloudflare had to contact search engine providers such as Google, Bing and Yahoo to ask them to manually scrub the cached data. If you think you could be compromised or are at risk, now would be a good time to change your passwords for any of the affected sites.

What can you as a website owner do?

Firstly, you should assess whether or not you have been affected. If you are using Cloudflare and allow users to log in, you should consider expiring all login tokens for the affected period. You should probably also force users who logged in or signed up within that time frame to reset their passwords. Don’t forget to warn your users about the recent breach: let them know what is going on and what you have planned to resolve the issue.
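As an added example of the two steps just described (not code from this article, Cloudflare, or any particular web framework), the following Python works on an in-memory user and session store: it revokes every session token that was usable at any point in the exposure window and flags every user who logged in or signed up inside it for a password reset. The record layout, the `respond_to_leak` function, the sample users and sessions, and the window cut-off date (the 22nd September start is the page's date; the 18th February end is an assumed date just after the fix) are all constructed for the illustration.

```python
"""Incident-response helper for a site owner: revoke sessions that were valid
during the exposure window and force password resets for users who logged in
or signed up in it. Illustrative code with an in-memory store."""
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class User:
    username: str
    signed_up: datetime
    last_login: datetime
    must_reset_password: bool = False


@dataclass
class Session:
    token: str
    username: str
    issued_at: datetime
    expires_at: datetime
    revoked: bool = False


# Exposure window: the earliest affected feature went live on 22 September
# 2016; the end is an assumed cut-off shortly after the fix (not from the page).
WINDOW_START = utc(2016, 9, 22)
WINDOW_END = utc(2017, 2, 18)

# Constructed sample records.
USERS = {
    "alice": User("alice", utc(2015, 3, 1), utc(2016, 5, 1)),
    "bob": User("bob", utc(2015, 6, 1), utc(2016, 12, 1)),
    "carol": User("carol", utc(2017, 1, 15), utc(2017, 1, 15)),
    "dave": User("dave", utc(2014, 1, 1), utc(2016, 8, 1)),
}
SESSIONS = [
    Session("tok-alice", "alice", utc(2016, 5, 1), utc(2017, 6, 1)),  # long-lived, spans the window
    Session("tok-bob", "bob", utc(2016, 12, 1), utc(2017, 1, 1)),     # issued inside the window
    Session("tok-dave", "dave", utc(2016, 8, 1), utc(2016, 9, 1)),    # expired before the window
]


def respond_to_leak(users, sessions, window_start, window_end):
    """Return (revoked tokens, usernames forced to reset), mutating the records."""
    def in_window(t: datetime) -> bool:
        return window_start <= t < window_end

    revoked = []
    for s in sessions:
        # A token is at risk if it was usable at any moment inside the window,
        # even if it was issued earlier: it was still being sent in requests.
        if s.issued_at < window_end and s.expires_at > window_start and not s.revoked:
            s.revoked = True
            revoked.append(s.token)

    reset = []
    for u in users.values():
        if in_window(u.last_login) or in_window(u.signed_up):
            u.must_reset_password = True
            reset.append(u.username)
    return sorted(revoked), sorted(reset)


if __name__ == "__main__":
    print(respond_to_leak(USERS, SESSIONS, WINDOW_START, WINDOW_END))
```

Note that the session check deliberately catches tokens issued before the window: a cookie minted months earlier was still travelling through Cloudflare on every request during the affected period, so revoking only tokens issued inside the window would miss it. Revoking a session forces that user to log in again, which is a natural point at which to show the breach notice.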

What can the user do?

There are a few things that you as a user can do to minimize risk from breaches like this. It is recommended not to use the same password across sites: once your password is exposed for one site, hackers will more than likely assume that you have used it for more than one account. Remembering all these different passwords can be tricky, so consider using a password manager like LastPass. Some services support two-factor authentication which, when enabled, provides an extra layer of security. Usually you will be sent a text message or have to use an app that provides a code which changes every 30 seconds or so. If your password has been compromised, it will be very difficult for someone to guess the code before it changes. If you would like to learn more about the bug, Cloudflare has produced an in-depth incident report that you can read through.
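The rotating 30-second code that authenticator apps produce is a time-based one-time password (TOTP, RFC 6238). The following added example, written for this article in standard-library Python and not taken from any of the services named above, generates such codes and verifies them, showing that a code observed at one moment stops verifying once its 30-second slot (plus a one-slot tolerance for clock drift) has passed. The `SECRET` is the RFC 6238 test-vector key rather than a real credential, and the `hotp`, `totp` and `verify` names are this example's own.

```python
"""Time-based one-time password (TOTP, RFC 6238) with a 30-second step.
Illustrative code using only the Python standard library."""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"   # RFC 6238 reference secret for SHA-1, not a real key
STEP = 30                          # seconds per code


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = 6) -> str:
    """Code valid for the 30-second slot containing Unix time `at`."""
    return hotp(secret, at // step, digits)


def verify(secret: bytes, code: str, at: int, step: int = STEP, skew: int = 1) -> bool:
    """Accept the current slot plus `skew` slots either side for clock drift,
    comparing in constant time so the check does not leak timing information."""
    return any(
        hmac.compare_digest(totp(secret, at + k * step, step), code)
        for k in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(SECRET, now))
```

Two details matter in a real verifier beyond what the snippet shows: remember the last slot for which a code was accepted and refuse a second use of it, so that a code observed in transit cannot be replayed inside its own window, and keep the shared secret out of anything that could be cached or logged, since it, unlike the code, does not expire.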